2004 USENIX Annual Technical Conference, June 27-July 2, 2004, Boston Marriott Copley Place, Boston, MA

Thursday, July 1, 2004
R1 Hacking & Securing Web-based Applications—Hands-On (Day 1 of 2) NEW!
David Rhoades, Maven Security Consulting, Inc.
10:30 a.m.–6:00 p.m.
Coding Security
Who should attend: People who are auditing Web application security, developing Web applications, or managing the development of a Web application.

Is your Web application secure? CD Universe and others have found out the hard way that encryption and firewalls are not enough. Numerous commercial and freeware tools help locate network-level security vulnerabilities, but they cannot find the flaws that live in the logic of a Web-based application.

With numerous real-world examples from the instructor's years of experience with security assessments, this informative and entertaining course is based on fact, not theory. The course material is presented in a step-by-step approach, and will apply to Web portals, e-commerce (B2B or B2C), online banking, shopping, subscription-based services, or any Web-enabled application.

Class exercises require an x86-based laptop that can boot from a KNOPPIX CD and has a 10/100 Ethernet network card. Please download a copy of KNOPPIX-STD, burn it to a CD-R, and try to boot your system on a network offering DHCP. Make sure your network card is recognized by KNOPPIX-STD; otherwise you will not be able to participate in most classroom exercises. Wireless access will not be supported during class.

Topics include:

  • The primary risks facing Web applications
  • Exposures and vulnerabilities in HTML and JavaScript, authentication, and session tracking
  • Tools, techniques, and methodologies required to locate weaknesses
  • Recommendations for mitigating exposures found
  • Best practices for Web application security
Students will be provided access to several target Web applications. Some of these applications are real applications with known security issues. Others are mock applications designed by Maven Security to simulate real security issues. At each step, the instructor will supply the tools needed and demonstrate the required techniques. All software provided will be publicly available freeware.

Day 1

  • Introduction
    • The problem and root causes
    • Web primer: HTTP and HTML
  • Foundational security
    • OS vulnerabilities
    • Web server security highlights
  • Web server and Web application output
    • HTTP headers
    • HTML and JavaScript
    • Encryption ciphers
    • Error messages
    • Caching
  • Authentication
    • Authentication: digital certificates; form-based; HTTP basic
    • Threats to authentication
  • Sign-on
    • User name harvesting
    • Brute-force password guessing
    • Password harvesting
    • Resource exhaustion
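The sign-on topics above, user name harvesting in particular, come down to a login form that answers differently for a valid and an invalid user name. The following is an added example, not course material from Maven Security: a constructed two-user store, a leaky login handler, a hardened one that gives a single answer and does the same hashing work whether or not the name exists, and the attacker-side loop that tells the two apart. The user names, passwords, salts and iteration count are all made up for the demonstration.

```python
"""Added example (not from the course): user name harvesting through
distinguishable login responses, and the hardened alternative."""
import hashlib
import hmac
import os

ITERATIONS = 20_000  # deliberately low for the demonstration


def derive(password: str, salt: bytes) -> bytes:
    """Password hashing with PBKDF2-HMAC-SHA256 (constructed parameters)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: name -> (salt, derived key). Assumption: two valid users.
USERS = {
    "alice": (b"salt-alice", derive("correct horse", b"salt-alice")),
    "bob": (b"salt-bob", derive("hunter2", b"salt-bob")),
}
# Decoy record used for unknown names so the expensive hash is always computed.
DECOY = (b"salt-decoy", derive(os.urandom(16).hex(), b"salt-decoy"))


def login_leaky(username: str, password: str):
    """Vulnerable: the message differs for unknown names and wrong passwords,
    and the hash is skipped for unknown names, so timing differs as well."""
    if username not in USERS:
        return False, "Unknown user name"
    salt, stored = USERS[username]
    if derive(password, salt) != stored:
        return False, "Incorrect password"
    return True, "Welcome"


def login_uniform(username: str, password: str):
    """Hardened: one message and one code path whether or not the name exists."""
    salt, stored = USERS.get(username, DECOY)
    match = hmac.compare_digest(derive(password, salt), stored)
    if username not in USERS:  # the decoy record can never authenticate
        match = False
    return (True, "Welcome") if match else (False, "Invalid user name or password")


def harvest(candidates, login):
    """Attacker's view: submit a wrong password for each candidate and keep every
    name whose response differs from the response for a name that surely does
    not exist. Returns the list of names the application confirmed."""
    baseline = login("zz-no-such-user", "wrong")[1]
    return [name for name in candidates if login(name, "wrong")[1] != baseline]


if __name__ == "__main__":
    names = ["alice", "carol", "bob", "dave"]
    print("leaky handler confirms:", harvest(names, login_leaky))
    print("uniform handler confirms:", harvest(names, login_uniform))
```

The same comparison applies to any other oracle the sign-on path exposes, such as "forgot password" and registration forms; each needs the same uniform response.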
Day 2
  • Session issues
    • Session tracking mechanisms
    • Session ID best practices
    • Session cloning
  • Transaction issues
    • Malicious user input
    • Hidden form elements
    • GET vs. POST
    • JavaScript filters
    • Improper application logic
    • Cross-site scripting (XSS)
  • Third-party products
  • Testing procedures
  • Methodology and safety
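Hidden form elements and malicious user input, from the Day 2 list, share one root cause: the server trusting values the browser echoes back. As an added example, not part of the course, here is a checkout that believes a hidden price field beside one that looks the price up server-side and validates the quantity, plus an HMAC seal for state that genuinely has to round-trip through the client. The catalogue, prices and server key are constructed for the demonstration.

```python
"""Added example (not from the course): hidden form element tampering,
the server-side lookup that defeats it, and an HMAC seal for client-side state."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed catalogue, prices in cents. Assumption: this is the only price source.
CATALOG = {"sku-100": 4999, "sku-200": 1299}
SERVER_KEY = b"constructed-server-side-key"  # assumption: never sent to the client


def render_form_trusting(sku: str) -> str:
    """Vulnerable pattern: the price is put in a hidden field for the browser to echo back."""
    return urlencode({"sku": sku, "price": CATALOG[sku], "qty": 1})


def checkout_trusting(body: str) -> int:
    """Vulnerable: charges whatever price the submitted form body carries."""
    f = parse_qs(body)
    return int(f["price"][0]) * int(f["qty"][0])


def checkout_lookup(body: str) -> int:
    """Hardened: the price comes from the catalogue, qty is validated, extra fields are ignored."""
    f = parse_qs(body)
    sku = f.get("sku", [""])[0]
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    try:
        qty = int(f.get("qty", [""])[0])
    except ValueError:
        raise ValueError("qty is not an integer")
    if not 1 <= qty <= 99:
        raise ValueError("qty out of range")
    return CATALOG[sku] * qty


def seal(fields: dict) -> str:
    """Bind hidden fields with an HMAC so the server can detect client-side edits."""
    payload = urlencode(sorted(fields.items()))
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "&sig=" + tag


def unseal(body: str) -> dict:
    """Verify the seal and return the fields; raises if anything was changed."""
    f = {k: v[0] for k, v in parse_qs(body).items()}
    tag = f.pop("sig", "")
    payload = urlencode(sorted(f.items()))
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("hidden fields tampered with")
    return f


if __name__ == "__main__":
    body = render_form_trusting("sku-100")
    tampered = body.replace("price=4999", "price=1")
    print("trusting handler charges:", checkout_trusting(tampered))
    print("lookup handler charges:", checkout_lookup(tampered))
```

The seal only proves the fields came back unmodified; it does not make the price authoritative, so the lookup in checkout_lookup is still the control that matters for a value the server already knows.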
David Rhoades (T1, W1, R1, F1) is a principal consultant with Maven Security Consulting, Inc. Since 1996, David has provided information protection services for various FORTUNE 500 customers. His work has taken him across the US and abroad to Europe and Asia, where he has lectured and consulted in various areas of information security. David has a B.S. in computer engineering from the Pennsylvania State University and is an instructor for the SANS Institute, the MIS Training Institute, and Sensecurity (based in Singapore).

R2 Implementing LDAP Directories
Gerald Carter, Samba Team/Hewlett-Packard
10:30 a.m.–6:00 p.m.
Who should attend: Both LDAP directory administrators and architects. The focus is on integrating standard network services with LDAP directories. The examples are based on UNIX hosts and the OpenLDAP directory server and will include actual working demonstrations throughout the course.

System administrators today run a variety of directory services, although these go by names such as DNS and NIS. The Lightweight Directory Access Protocol (LDAP) is the up-and-coming successor to the X.500 directory and promises to let administrators consolidate multiple existing directories into one.

Topics include:

  • Replacing NIS domains
  • Integrating Samba user accounts
  • Authenticating RADIUS clients
  • Integrating MTAs such as Sendmail, Qmail, or Postfix
  • Creating address books for mail clients
  • Managing user access to HTTP and FTP services
  • Storing DNS zone information
  • Managing printer information
Gerald Carter (R2, F2) has been a member of the Samba Team since 1998. He has published articles in various Web-based magazines and gives instructional courses as a consultant for several companies. Currently employed by Hewlett-Packard as a Samba developer, Gerald has written books for SAMS Publishing and is the author of the recent LDAP System Administration (O'Reilly & Associates).

R4 But Is It UNIX? A Mac OS X Administrator's Survival Guide NEW!
Aeleen Frisch, Exponential Consulting
10:30 a.m.–6:00 p.m.
BSD Sysadmin
Who should attend: UNIX system administrators who want or need to administer Macintosh systems running Mac OS X and/or Mac OS X Server. Familiarity with standard UNIX system administration concepts and tasks is assumed. No previous Macintosh experience is necessary. Experienced Macintosh users who want to learn about system administration tasks in the Mac OS X environment will also benefit from this course. People very familiar with Mac OS X or with the NeXTSTEP environment will find much of this material to be a review. Note that comparisons with NeXTSTEP will not be made.

Topics include:

  • What is this beast and what's Darwin (and why should I care)?
    • System architecture
  • Basic tasks
    • Installation hints and pitfalls
    • Software packages
    • Startup and shutdown
  • File and file systems
    • File system layout
    • File types: resource forks, applications, etc.
  • User management
    • Users and groups
    • Mac OS X shared domains
    • Managed preferences
  • Networking
    • Client configuration
    • Managing standard TCP/IP daemons: DNS, DHCP, NTP, and so on
    • The Mac OS X multiprotocol environment
    • Rendezvous and its implications
  • Process management and performance
  • Managing funky Mac peripherals and user expectations
  • Mac OS X security architecture and implementation
We will note interactions between the UNIX implementation and the Mac graphical user/administrative environment.

Aeleen Frisch (T3, W3, R4) has been a system administrator for over 20 years. She currently looks after a pathologically heterogeneous network of UNIX and Windows systems. She is the author of several books, including Essential System Administration (now in its 3rd edition).


R5 Intrusion Detection and Prevention Systems
Marcus Ranum, Trusecure Corp.
10:30 a.m.–6:00 p.m.
Who should attend: Network or security managers responsible for an IDS roll-out, security auditors interested in assessing IDS capabilities, security managers involved in IDS product selection.

Overview: This workshop covers the real-world issues you'll encounter as part of doing an intrusion detection roll-out or product selection. Attendees will learn the advantages and disadvantages of popular approaches to Intrusion Detection Systems (IDSes), how to deal with false positives and noise, where to deploy IDSes, how to test them, how to build out-of-band IDS management networks, and how they interact with switches, routers, and firewalls.

Topics include:

  • Technologies
    • IDS and IPS: what they are and how they work
    • Burglar alarms and honeypots—low-rent IDS
    • Misuse detection and anomaly detection
    • False positives, noise, and false alarms
    • Does freeware stack up to the commercial products?
  • Deployment issues
    • Where to place IDS within the network
    • Alert tuning: what it is and how it works
    • How to estimate the size of an IDS deployment
    • How to size and design a logging / management architecture
    • Tools and tricks for logging and event correlation
    • A typical IDS roll-out
    • How to test an IDS for correct function
    • IDS benchmarks: bogus and bogusest
  • Management issues
    • How to justify the expenditures on an IDS to management
    • Cyclical maintenance
    • Alert management procedures
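Alert tuning and event correlation, from the deployment list above, are easiest to see on actual alert lines. As an added example, not from the course: a handful of constructed alert lines modelled on Snort's "fast" alert format, a suppression list for a known internal scanner, and a per-signature threshold so that a single probe does not page anyone while a burst from one address does. The signature IDs, messages, addresses and policy are all made up for the demonstration.

```python
"""Added example (not from the course): batch tuning of IDS alerts with a
suppression list and per-signature thresholds, run over constructed lines."""
import re

# Constructed alert lines in the shape of Snort's fast alert output, plus one
# unrelated sensor log line to show that non-alert input is skipped, not crashed on.
SAMPLE_ALERTS = [
    "06/30-14:02:11.000001 [**] [1:469:3] ICMP PING NMAP [**] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.1.20",
    "06/30-14:02:12.000002 [**] [1:469:3] ICMP PING NMAP [**] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.1.21",
    "06/30-14:03:01.000003 [**] [1:1122:5] WEB-MISC /etc/passwd [**] [Priority: 2] {TCP} 192.0.2.7:41022 -> 10.0.1.80:80",
    "06/30-14:03:01.000004 [**] [1:1122:5] WEB-MISC /etc/passwd [**] [Priority: 2] {TCP} 192.0.2.7:41023 -> 10.0.1.80:80",
    "06/30-14:03:02.000005 [**] [1:1122:5] WEB-MISC /etc/passwd [**] [Priority: 2] {TCP} 192.0.2.7:41024 -> 10.0.1.80:80",
    "Jun 30 14:04:00 sensor1 snort: reload complete",
    "06/30-14:05:00.000006 [**] [1:1122:5] WEB-MISC /etc/passwd [**] [Priority: 2] {TCP} 198.51.100.9:5123 -> 10.0.1.80:80",
    "06/30-14:06:00.000007 [**] [1:469:3] ICMP PING NMAP [**] [Priority: 2] {ICMP} 203.0.113.4 -> 10.0.1.20",
]

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r".*\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)

# Constructed tuning policy. Assumption: 10.0.0.5 is the in-house vulnerability scanner.
SUPPRESS = {("469", "10.0.0.5")}  # (sid, source) pairs that are expected noise
THRESHOLDS = {"1122": 3}  # sid -> events from one source before it is reported


def parse_alert(line: str):
    """Return the alert's fields as a dict, or None for a line that is not an alert."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def tune(lines, suppress=SUPPRESS, thresholds=THRESHOLDS):
    """Group alerts by (signature, source), drop suppressed pairs, and report a
    group only once it reaches the threshold for that signature (default 1).
    Groups are returned in order of first appearance."""
    groups = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # a real deployment would count and log unparsed lines
        key = (a["sid"], a["src"])
        if key in suppress:
            continue
        g = groups.setdefault(key, {
            "sid": a["sid"], "msg": a["msg"], "src": a["src"],
            "first_seen": a["ts"], "count": 0, "targets": set(),
        })
        g["count"] += 1
        g["targets"].add(a["dst"])
    return [g for g in groups.values() if g["count"] >= thresholds.get(g["sid"], 1)]


if __name__ == "__main__":
    for g in tune(SAMPLE_ALERTS):
        print(f'{g["first_seen"]} sid={g["sid"]} {g["msg"]} from {g["src"]} '
              f'x{g["count"]} -> {sorted(g["targets"])}')
```

Run over the sample, the scanner's pings disappear, the three /etc/passwd probes from one address collapse into a single reported event, and the lone probe from a second address is held below threshold; the external ping is still reported because nothing in the policy covers it.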

Marcus Ranum (T5, R5, F5) is senior scientist at Trusecure Corp. and a world-renowned expert on security system design and implementation. He is recognized as the inventor of the proxy firewall and the implementer of the first commercial firewall product. Since the late 1980s, he has designed a number of groundbreaking security products, including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall, and NFR's Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Marcus has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC Clue award for service to the security community, and he holds the ISSA lifetime achievement award.


Last changed: 17 June 2004 ch